S3 pre signed url with block public access on a bucket

0

Customer is trying to block public access on a bucket but provide indirect access via pre signed url

Is pre signed url supported on a bucket with block public access, as they recall url pre-signing can only be done with an IAM user. Is that still the case or can they use a role that is attached to the node? In the past, the temp credentials given to an instance role is short lived and therefore unsuitable for something to share externally?

Can they have a custom domain on the pre signed url, if this is not supported then any workaround with Cloudfront, API GW, Lambda?

已提問 4 年前檢視次數 5079 次
1 個回答
0
已接受的答案

Yes, presigned URL are working with public block access Buckets.

  • The easiest way to implement this is to create a frontend with an API gateway that call a lambda, calling S3API to generate a signed URL. this is valid both for upload and download.

  • if you don't want to use an API gateway you can have a front end web server,

This is an article that explain the entire process: generate presigned URL using API gateway and lambda if you need to download the file is something along these lines:

async function getDownloadUrl (file) {
  const { key, versionId } = file
  const params = {
    Bucket: my-test-bucket,,
    Key: 'myDoc/myfile.pdf', //the directory in S3
    VersionId: versionId, //we use S3 versioning
    Expires: 60
  }

  try {
    const url = await new Promise((resolve, reject) => {
      s3.getSignedUrl('getObject', params, function (err, url) {
        if (err) {
          reject(err)
        }
        resolve(url)
      })
    })

    return url
  } catch (err) {
    logger.error('s3 getObject,  get signedUrl failed')
    throw err
  }
}
profile pictureAWS
已回答 4 年前
profile picture
專家
已審閱 1 天前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南